A product's quality is never better than that of the weakest supplier in its supply chain. In a world where purchased components frequently account for more than 60% of a finished product's cost, supplier management has ceased to be an administrative purchasing function and has become a core discipline within the quality management system. ISO 9001 addresses this in clause 8.4, "control of externally provided processes, products and services," which requires organisations to evaluate, select, monitor performance and re-evaluate their suppliers against defined criteria. This article explains how to do so rigorously: from initial approval through to the dashboard that detects deterioration before it ever reaches the customer.
ISO 9001 Clause 8.4 and the Risk of Outsourcing
Requirement 8.4 is grounded in a fundamental idea: the risk associated with a supply depends on its impact on the final product. A manufacturer of a safety-critical component is not controlled in the same way as a provider of office supplies. The standard requires that criteria be determined and applied for the evaluation, selection, performance monitoring and re-evaluation of suppliers, and that documented information from these activities be retained. This means that a supplier approved three years ago with good scores does not remain approved automatically — they must demonstrate compliance on an ongoing basis.
The organisation must also communicate applicable requirements to the supplier — specifications, personnel competence requirements, interactions, and the control and monitoring the organisation intends to apply at the supplier's premises — before any purchase is made. Ambiguity in communicating requirements is a frequent source of nonconformities that are subsequently attributed to the supplier unfairly.
Selection Criteria: Beyond Price
Rigorous selection weighs several dimensions. The most widely used is the QCD model (Quality, Cost, Delivery), to which modern management adds two increasingly important dimensions: technical capability and service, and sustainability and compliance. A thorough approval framework scores, for example, supplier certifications (ISO 9001, ISO 14001, sector-specific certifications), demonstrated process capability, financial health, contingency plans and, today, ESG criteria and due diligence on human rights and environmental issues.
Due diligence is no longer voluntary for many companies: the EU Corporate Sustainability Due Diligence Directive (CSDDD, Directive 2024/1760) requires large companies to identify and mitigate adverse impacts in their value chains, and this requirement cascades down to supplier approval. Selecting the cheapest option without verifying regulatory compliance amounts to transferring a legal risk onto the organisation itself.
ABC Classification and Criticality Segmentation
Not every supplier warrants the same level of control effort. ABC classification, based on the Pareto principle, segments the supplier portfolio by its share of spend: "A" suppliers (roughly the 20% that accounts for 80% of value) receive on-site audits, concerted quality agreements and joint improvement plans; "B" suppliers receive intermediate monitoring; and "C" suppliers undergo light controls. This economic lens should be cross-referenced with a criticality-risk dimension: a low-spend supplier that is the sole source for a safety part is strategic regardless of its ABC classification. The spend-versus-risk matrix prevents the mistake of neglecting a small supplier whose failure would halt production.
Comparative Table of Control Levels by Category
| Category | Weight / Risk | Evaluation | Monitoring Frequency |
|---|---|---|---|
| A — strategic | High spend or critical | On-site audit + PPAP | Monthly |
| B — important | Medium | Questionnaire + samples | Quarterly |
| C — transactional | Low | Documentary self-assessment | Annual |
| Single source / no alternative | Critical regardless of spend | Audit + contingency plan | Continuous |
The Approval Process Step by Step
Approving a supplier is not simply registering them in a system; it means executing a reproducible procedure. A robust process covers these stages: (1) identifying the need and defining the supply specifications; (2) prospecting and pre-qualification, where a self-assessment questionnaire is sent to gather certifications, capacity, references and financial data; (3) documentary evaluation, cross-checking declared information against evidence (valid certificates, accounts, insurance policies); (4) second-party audit for critical suppliers, in which the organisation itself audits the supplier's system and process at their premises; (5) samples and validation, with testing on actual parts and, in regulated sectors, the PPAP dossier; and (6) approval decision with its classification and conditions.
The second-party audit deserves particular attention because it is where a serious approval process separates itself from a merely formal one. Unlike a third-party audit (conducted by a certification body), a second-party audit is carried out by the customer using its own criteria and focused on what truly matters to it: the process capability for the specific part being purchased, traceability, the supplier's control plan and their nonconformance management. A well-constructed audit checklist does not skim through the supplier's quality manual but instead follows the physical flow of the part from raw material receipt through to dispatch.
Quality Agreement and Contingency Plan
For strategic suppliers, the relationship is formalised in a Quality Agreement that goes beyond the commercial contract: it defines responsibilities regarding change control (the supplier may not modify the process, material or sub-supplier without notifying and obtaining approval), incident notification requirements, quarantine rules and the handling of nonconforming material. Change control is decisive: many field failures originate in a "minor" supplier change that nobody authorised or assessed.
Supply risk management also requires a contingency plan for single sources: qualifying a second source (dual sourcing), maintaining safety stock calculated on lead time and re-qualification lead time, or having a pre-qualified backup supplier even if not currently active. The pandemic and recent logistics disruptions have demonstrated that supply chain resilience is worth as much as its efficiency, and that extreme concentration in a single origin is a strategic vulnerability, not a saving.
Continuous Monitoring: KPIs That Detect Deterioration
Approval is a snapshot; monitoring is the full motion picture. The indicators that make up a robust supplier scorecard are: PPM (defective parts per million) received, OTIF (On Time In Full), nonconformance rate and mean response time to a corrective action (8D). The 8D (Eight Disciplines) methodology structures problem resolution with the supplier: immediate containment (D3), root cause analysis (D4), permanent corrective action (D5–D6) and recurrence prevention (D7). A supplier who closes an 8D with containment but no root cause will fail again.
The scorecard must trigger automatic actions: a supplier that falls below its OTIF threshold for two consecutive months enters an improvement plan; if it fails to recover, its approval is re-evaluated. Monitoring without consequences is a report nobody reads.
Common Errors in Supplier Management
- Selecting on price alone. The total cost of ownership — including rejections, delays and claims — usually disproves the "cheapest" option.
- Approve and forget. Without periodic re-evaluation, clause 8.4 is breached and risk grows unnoticed.
- Not communicating requirements in writing. Nonconformities arising from ambiguity end in dispute, not improvement.
- Closing 8Ds without root cause. Containment silences the symptom, not the cause; the defect reappears.
- Ignoring the single-source supplier. Concentrating critical supply in one source without a contingency plan is a first-order operational risk.
Frequently Asked Questions
Does ISO 9001 require auditing every supplier?
No. Clause 8.4 requires applying controls proportionate to the supply's impact. A critical supplier may require an on-site audit; a transactional one may require only a documentary self-assessment. What is mandatory is having defined criteria and retaining evidence.
What is a good PPM level?
It depends on the sector. The automotive industry works to very demanding targets (often below 50 PPM or even zero defects for safety parts); in other sectors the acceptable threshold is higher. What matters is setting a target, measuring it and demanding improvement against the trend.
What is the 8D methodology for?
It provides a structured framework for resolving problems with suppliers across eight disciplines, ensuring that after immediate containment the root cause is identified and an action is implemented that prevents recurrence.
How does sustainability affect supplier selection?
Increasingly so. Frameworks such as the EU CSDDD extend to the supply chain the obligation of due diligence on human rights and the environment, meaning that supplier approval now incorporates ESG criteria alongside the classic QCD dimensions.
Conclusion
Managing suppliers rigorously means, at its core, outsourcing work without outsourcing risk. ISO 9001 clause 8.4 defines the what — evaluate, select, monitor and re-evaluate — but the how is determined by each organisation: weighing quality, cost and delivery alongside technical capability and regulatory compliance; classifying by the spend-and-criticality matrix to concentrate effort where it hurts most; and maintaining a scorecard of PPM, OTIF and 8D metrics that converts data into decisions. The strategic supplier is not the one that never fails, but the one that closes its nonconformities with root cause identification and measurable improvement. At Summum Quality we help design supplier approval and monitoring frameworks, second-party audits and improvement plans that shield the supply chain against its weakest link.